Further thoughts on social engineering

I've been saying a lot about social engineering lately. Part of the reason for that is that social engineering is the single largest threat to many corporate networks. It doesn't matter how much technology you have in place to secure your data; if a social engineering attack succeeds, you will be breached.

Recently I read about an example of social engineering done purely for fun and glory (i.e., the target was not actually harmed), conducted at DEFCON 20 last month as part of a “capture the flag” contest. The object of the contest was to use completely non-technical means to convince real targets to give up certain types of company information. The article that I read covered one contestant's successful gambit to convince a high-level store employee at Wal-Mart to give him key information. Each piece of information was a “flag”, and the hacker in the article captured every single one.

This was only a contest, and no actual harm was done; because of the way the hacker played the scenario, the target had no reason to even suspect that anything had happened. Doubtless the fact that the target was in a small town, where perhaps people are more trusting of perceived authority figures, helped the hacker achieve his goal. But most social engineers rely on that exact quality, trust in perceived authority figures, to get the information they want.

“Perceived authority” doesn't necessarily mean that the person trying to solicit information has the ability to give you orders. It can mean someone in a position (such as a help desk admin) that you're used to giving certain types of information to, or it can mean someone who seems to have a lot of information on a subject that you're very interested in. The idea is not to scare you into giving up information; rather, it's to make you want to give it because you trust the person you're talking to.

In the movie What Women Want, Mel Gibson's character has an advantage over Helen Hunt's in that he can actually read her mind, something that is pretty unlikely. But he doesn't merely read her thoughts; he uses them to get close to her and make her trust him so that it will be even easier to push her out of her job. That is exactly what social engineers are doing; they are anticipating your thoughts or behavior patterns in order to make you trust them and, ultimately, give them what they want. The fact that it works over and over is as hard to believe as the idea that Mel Gibson can hear Helen Hunt's thoughts, until you see it in action.

In my first article on social engineering I mentioned that I disagreed with a colleague who advocated a purely technical approach to securing against social attacks. He was saying that training personnel wasn't useful, and my position is that it can be made more useful by tailoring the type of training given to the person it's being given to, rather than giving everyone the same training. To add to that idea, I'd suggest what the military refers to as “tabletop exercises”, where the trainer and the trainees verbally run through the scenarios they might expect to encounter (usually around a conference table, hence the name). Talking through a scenario in this way tends to suggest other scenarios, and it keeps the lessons fresh in the trainees' minds.

In any event, whenever somebody you don't know asks you for information, or suddenly tries to get close, you should verify that person's identity. You may have a lot to lose, no matter how innocuous their request may seem.

Mary Ursula Herrmann

Mary Ursula Herrmann is a Network Security Analyst living in Juneau, AK. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.